panda/board/bootstub.c

#define BOOTSTUB

#define VERS_TAG 0x53524556
#define MIN_VERSION 2

#include "config.h"
#include "obj/gitversion.h"

#ifdef STM32F4
  #include "stm32f4xx.h"
  #include "stm32f4xx_hal_gpio_ex.h"
#else
  #include "stm32f2xx.h"
  #include "stm32f2xx_hal_gpio_ex.h"
#endif

// ******************** Prototypes ********************
void puts(const char *a){ UNUSED(a); }
void puth(unsigned int i){ UNUSED(i); }
void puth2(unsigned int i){ UNUSED(i); }
typedef struct board board;
typedef struct harness_configuration harness_configuration;
// No CAN support on bootloader
void can_flip_buses(uint8_t bus1, uint8_t bus2){UNUSED(bus1); UNUSED(bus2);}
void can_set_obd(int harness_orientation, bool obd){UNUSED(harness_orientation); UNUSED(obd);}

// ********************* Globals **********************
int hw_type = 0;
const board *current_board;

// ********************* Includes *********************
#include "libc.h"
#include "provision.h"
#include "critical.h"
#include "faults.h"

#include "drivers/registers.h"
#include "drivers/interrupts.h"
#include "drivers/clock.h"
#include "drivers/llgpio.h"
#include "drivers/adc.h"
#include "drivers/pwm.h"

#include "board.h"

#include "gpio.h"

#include "drivers/spi.h"
#include "drivers/usb.h"
//#include "drivers/uart.h"

#include "crypto/rsa.h"
#include "crypto/sha.h"

#include "obj/cert.h"

#include "spi_flasher.h"

void __initialize_hardware_early(void) {
  early();
}

void fail(void) {
  soft_flasher_start();
}

// know where to sig check
extern void *_app_start[];

// FIXME: sometimes your panda will fail flashing and will quickly blink a single Green LED
// BOUNTY: $200 coupon on shop.comma.ai or $100 check.

int main(void) {
  // Init interrupt table
  init_interrupts(true);

  disable_interrupts();
  clock_init();
  detect_configuration();
  detect_board_type();

  if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {
    enter_bootloader_mode = 0;
    soft_flasher_start();
  }

  // validate length
  int len = (int)_app_start[0];
  if ((len < 8) || (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;

  // compute SHA hash
  uint8_t digest[SHA_DIGEST_SIZE];
  SHA_hash(&_app_start[1], len-4, digest);

  // verify version, last bytes in the signed area
  uint32_t vers[2] = {0};
  memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));
  if (vers[0] != VERS_TAG || vers[1] < MIN_VERSION) {
    goto fail;
  }

  // verify RSA signature
  if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }

  // allow debug if built from source
#ifdef ALLOW_DEBUG
  if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {
    goto good;
  }
#endif

// here is a failure
fail:
  fail();
  return 0;
good:
  // jump to flash
  ((void(*)(void)) _app_start[1])();
  return 0;
}
make flashing over SPI work 2017-04-28 20:32:09 -06:00			`#define BOOTSTUB`

security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-10 09:14:30 -07:00			`#define VERS_TAG 0x53524556`
			`#define MIN_VERSION 2`

write soft flasher 2017-07-24 16:16:22 -06:00			`#include "config.h"`
			`#include "obj/gitversion.h"`

initial commit 2017-04-06 19:11:36 -06:00			`#ifdef STM32F4`
			`#include "stm32f4xx.h"`
make flashing over SPI work 2017-04-28 20:32:09 -06:00			`#include "stm32f4xx_hal_gpio_ex.h"`
initial commit 2017-04-06 19:11:36 -06:00			`#else`
			`#include "stm32f2xx.h"`
make flashing over SPI work 2017-04-28 20:32:09 -06:00			`#include "stm32f2xx_hal_gpio_ex.h"`
initial commit 2017-04-06 19:11:36 -06:00			`#endif`

Black (#254) * late usb * Added type support for black panda * Added harness presence and orientation detection * harness relay driving code * Added intercept support in black panda code. Switched around can0 and can2 * Disable ADCs after orientation detection. Ignition interrupts via harness * WIP: Hardware abstraction layer + black panda bringup * Fixed bootstub build * Fixed bootstub for pedal * Fixed infinite loops * Got CAN buses working on white again * Fixed pedal build and black can interfaces * Got CAN buses working on black panda * Finished loopback test for black panda * Erase all flash sectors on the panda. Increased binary limit. Added extra python functions. * Fixed python * Made new code MISRA compliant * Cleaned up ignition. Fixed build * Fixed health packet * Fixed CAN mode on black bug. Changed OBD to switch on ELM mode * Fixes from Github review * Fixed MISRA issue for pedal * Fixed failing gmlan tests * ELM327 safety: allow diagnostic on all buses * Cleaned up EON relay code * delete only 3 sectors instead of 11 to allow a new build to be flashed. Much faster to flash * Removed CAN only can0 output mode. Does not make sense on black panda due to reversibility issues. * Added heartbeat logic for EON code on panda. Go to NOOUTPUT if EON does not send a heartbeat for 5 seconds. * Remove all CAN buses live on EON startup. Shouldn't be necessary to have this separate case * Formatting * Added file I forgot to push * Added heartbeat to testing code to make sure EON tests don't fail. Should probably find a better way to do this though. Heartbeat thread didn't work, concurrent USB connection issues... * Safety: support black panda for Honda Bosch * Disable OBD2 if setting to NOOUTPUT mode * Run safety tests for all hw_types * Fail test if subtest fails * fix safety tests 2019-07-23 16:07:06 -06:00			`// ****************** Prototypes ******************`
			`void puts(const char *a){ UNUSED(a); }`
			`void puth(unsigned int i){ UNUSED(i); }`
			`void puth2(unsigned int i){ UNUSED(i); }`
			`typedef struct board board;`
			`typedef struct harness_configuration harness_configuration;`
			`// No CAN support on bootloader`
			`void can_flip_buses(uint8_t bus1, uint8_t bus2){UNUSED(bus1); UNUSED(bus2);}`
			`void can_set_obd(int harness_orientation, bool obd){UNUSED(harness_orientation); UNUSED(obd);}`

			`// ******************* Globals ********************`
			`int hw_type = 0;`
			`const board *current_board;`

			`// ******************* Includes *******************`
refactor libc, add crypto libraries to bootstub 2017-04-17 14:57:34 -06:00			`#include "libc.h"`
add wifi tests 2017-07-30 09:26:48 -06:00			`#include "provision.h"`
Revert "Revert "Register readback on most modules. Still need to convert the other ones (#396)"" This reverts commit 56ec215024d23681ed89cfbefeafb8ba200a664b. 2019-12-05 15:19:29 -07:00			`#include "critical.h"`
Interrupt refactor (NVIC_SM_1: #334) and Fault handling (#377) (PR #373) 2019-11-27 19:11:21 -07:00			`#include "faults.h"`
initial commit 2017-04-06 19:11:36 -06:00
Revert "Revert "Register readback on most modules. Still need to convert the other ones (#396)"" This reverts commit 56ec215024d23681ed89cfbefeafb8ba200a664b. 2019-12-05 15:19:29 -07:00			`#include "drivers/registers.h"`
Interrupt refactor (NVIC_SM_1: #334) and Fault handling (#377) (PR #373) 2019-11-27 19:11:21 -07:00			`#include "drivers/interrupts.h"`
fix bootstub build 2019-05-21 09:28:04 -06:00			`#include "drivers/clock.h"`
move llgpio to drivers 2017-07-29 18:53:39 -06:00			`#include "drivers/llgpio.h"`
Fixed USB power mode on black (#291) * Fixed USB power mode on black * bump version 2019-10-05 21:34:20 -06:00			`#include "drivers/adc.h"`
Uno (#274) * Added uno * Added usb switch support * Added PWM and IR power functions * Implemented bootkick * Added uno as a new hw type * Bumped version * Added fan control and tach readout * WIP: RTC support * Working RTC * Fixed python * Misra compliance * Added USB control messages for fan/IR power * Added USB commands + tests for fan & IR control. Fixed bootstub and pedal compilation * Added IR and fan to power saving mode * Changed defaults * Fix safety considering uno * passing safety now * Minor UNO tweaks * Fixed version * More minor temporary tweaks * Removed usb load switch from uno * Added power control for shutting down the fan completely * Disable IR LEDs by default * Fixed linter issue * Linter fix #2 2019-10-25 17:22:42 -06:00			`#include "drivers/pwm.h"`
Black (#254) * late usb * Added type support for black panda * Added harness presence and orientation detection * harness relay driving code * Added intercept support in black panda code. Switched around can0 and can2 * Disable ADCs after orientation detection. Ignition interrupts via harness * WIP: Hardware abstraction layer + black panda bringup * Fixed bootstub build * Fixed bootstub for pedal * Fixed infinite loops * Got CAN buses working on white again * Fixed pedal build and black can interfaces * Got CAN buses working on black panda * Finished loopback test for black panda * Erase all flash sectors on the panda. Increased binary limit. Added extra python functions. * Fixed python * Made new code MISRA compliant * Cleaned up ignition. Fixed build * Fixed health packet * Fixed CAN mode on black bug. Changed OBD to switch on ELM mode * Fixes from Github review * Fixed MISRA issue for pedal * Fixed failing gmlan tests * ELM327 safety: allow diagnostic on all buses * Cleaned up EON relay code * delete only 3 sectors instead of 11 to allow a new build to be flashed. Much faster to flash * Removed CAN only can0 output mode. Does not make sense on black panda due to reversibility issues. * Added heartbeat logic for EON code on panda. Go to NOOUTPUT if EON does not send a heartbeat for 5 seconds. * Remove all CAN buses live on EON startup. Shouldn't be necessary to have this separate case * Formatting * Added file I forgot to push * Added heartbeat to testing code to make sure EON tests don't fail. Should probably find a better way to do this though. Heartbeat thread didn't work, concurrent USB connection issues... * Safety: support black panda for Honda Bosch * Disable OBD2 if setting to NOOUTPUT mode * Run safety tests for all hw_types * Fail test if subtest fails * fix safety tests 2019-07-23 16:07:06 -06:00
			`#include "board.h"`

move llgpio to drivers 2017-07-29 18:53:39 -06:00			`#include "gpio.h"`

clean up flasher 2017-07-24 11:39:03 -06:00			`#include "drivers/spi.h"`
write soft flasher 2017-07-24 16:16:22 -06:00			`#include "drivers/usb.h"`
remove some dumb prints 2017-07-29 19:16:08 -06:00			`//#include "drivers/uart.h"`

signing is coming along 2017-04-25 19:03:58 -06:00			`#include "crypto/rsa.h"`
			`#include "crypto/sha.h"`

			`#include "obj/cert.h"`

make flashing over SPI work 2017-04-28 20:32:09 -06:00			`#include "spi_flasher.h"`
add bootloader lock support 2017-04-27 21:32:16 -06:00
Fix strict compiler on bootstub build 2019-07-07 16:05:47 -06:00			`void __initialize_hardware_early(void) {`
initial commit 2017-04-06 19:11:36 -06:00			`early();`
			`}`

Fix strict compiler on bootstub build 2019-07-07 16:05:47 -06:00			`void fail(void) {`
write soft flasher 2017-07-24 16:16:22 -06:00			`soft_flasher_start();`
signing is coming along 2017-04-25 19:03:58 -06:00			`}`

fix bootstub 2017-07-22 15:28:11 -06:00			`// know where to sig check`
			`extern void *_app_start[];`

Start introducing Bounties 2019-01-17 17:17:53 -07:00			`// FIXME: sometimes your panda will fail flashing and will quickly blink a single Green LED`
			`// BOUNTY: $200 coupon on shop.comma.ai or $100 check.`

Fix strict compiler on bootstub build 2019-07-07 16:05:47 -06:00			`int main(void) {`
Revert "Revert "Register readback on most modules. Still need to convert the other ones (#396)"" This reverts commit 56ec215024d23681ed89cfbefeafb8ba200a664b. 2019-12-05 15:19:29 -07:00			`// Init interrupt table`
			`init_interrupts(true);`
Interrupt refactor (NVIC_SM_1: #334) and Fault handling (#377) (PR #373) 2019-11-27 19:11:21 -07:00
Gpio race condition fix (#263) * Fixed pedal not initializing * Interrupt changes * More changes 2019-08-28 13:53:51 -06:00			`disable_interrupts();`
add mock stuff for signing 2017-04-17 14:57:34 -06:00			`clock_init();`
Black (#254) * late usb * Added type support for black panda * Added harness presence and orientation detection * harness relay driving code * Added intercept support in black panda code. Switched around can0 and can2 * Disable ADCs after orientation detection. Ignition interrupts via harness * WIP: Hardware abstraction layer + black panda bringup * Fixed bootstub build * Fixed bootstub for pedal * Fixed infinite loops * Got CAN buses working on white again * Fixed pedal build and black can interfaces * Got CAN buses working on black panda * Finished loopback test for black panda * Erase all flash sectors on the panda. Increased binary limit. Added extra python functions. * Fixed python * Made new code MISRA compliant * Cleaned up ignition. Fixed build * Fixed health packet * Fixed CAN mode on black bug. Changed OBD to switch on ELM mode * Fixes from Github review * Fixed MISRA issue for pedal * Fixed failing gmlan tests * ELM327 safety: allow diagnostic on all buses * Cleaned up EON relay code * delete only 3 sectors instead of 11 to allow a new build to be flashed. Much faster to flash * Removed CAN only can0 output mode. Does not make sense on black panda due to reversibility issues. * Added heartbeat logic for EON code on panda. Go to NOOUTPUT if EON does not send a heartbeat for 5 seconds. * Remove all CAN buses live on EON startup. Shouldn't be necessary to have this separate case * Formatting * Added file I forgot to push * Added heartbeat to testing code to make sure EON tests don't fail. Should probably find a better way to do this though. Heartbeat thread didn't work, concurrent USB connection issues... * Safety: support black panda for Honda Bosch * Disable OBD2 if setting to NOOUTPUT mode * Run safety tests for all hw_types * Fail test if subtest fails * fix safety tests 2019-07-23 16:07:06 -06:00			`detect_configuration();`
			`detect_board_type();`
wait up to 15 seconds, and detect rev c in bootstub 2017-08-25 13:02:26 -06:00
write soft flasher 2017-07-24 16:16:22 -06:00			`if (enter_bootloader_mode == ENTER_SOFTLOADER_MAGIC) {`
			`enter_bootloader_mode = 0;`
			`soft_flasher_start();`
			`}`

signing is coming along 2017-04-25 19:03:58 -06:00			`// validate length`
fix warnings in board build 2017-05-01 23:59:10 -06:00			`int len = (int)_app_start[0];`
add uart to spi flasher 2017-07-27 16:54:55 -06:00			`if ((len < 8) \|\| (len > (0x1000000 - 0x4000 - 4 - RSANUMBYTES))) goto fail;`
signing is coming along 2017-04-25 19:03:58 -06:00
			`// compute SHA hash`
fix warnings in board build 2017-05-01 23:59:10 -06:00			`uint8_t digest[SHA_DIGEST_SIZE];`
signature checking works on ST 2017-04-26 11:41:57 -06:00			`SHA_hash(&_app_start[1], len-4, digest);`
signing is coming along 2017-04-25 19:03:58 -06:00
security upgrades (#397) * security upgrades * Gated DFU entry from debug console as well 2019-12-10 09:14:30 -07:00			`// verify version, last bytes in the signed area`
			`uint32_t vers[2] = {0};`
			`memcpy(&vers, ((void*)&_app_start[0]) + len - sizeof(vers), sizeof(vers));`
			`if (vers[0] != VERS_TAG \|\| vers[1] < MIN_VERSION) {`
			`goto fail;`
			`}`

signing is coming along 2017-04-25 19:03:58 -06:00			`// verify RSA signature`
add release cert support 2017-04-28 16:06:01 -06:00			`if (RSA_verify(&release_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
signature checking works on ST 2017-04-26 11:41:57 -06:00			`}`
add mock stuff for signing 2017-04-17 14:57:34 -06:00
okay, release stuff is good 2017-04-28 21:13:00 -06:00			`// allow debug if built from source`
			`#ifdef ALLOW_DEBUG`
			`if (RSA_verify(&debug_rsa_key, ((void*)&_app_start[0]) + len, RSANUMBYTES, digest, SHA_DIGEST_SIZE)) {`
			`goto good;`
add release cert support 2017-04-28 16:06:01 -06:00			`}`
okay, release stuff is good 2017-04-28 21:13:00 -06:00			`#endif`
add release cert support 2017-04-28 16:06:01 -06:00
			`// here is a failure`
add uart to spi flasher 2017-07-27 16:54:55 -06:00			`fail:`
add release cert support 2017-04-28 16:06:01 -06:00			`fail();`
add uart to spi flasher 2017-07-27 16:54:55 -06:00			`return 0;`
add release cert support 2017-04-28 16:06:01 -06:00			`good:`
add mock stuff for signing 2017-04-17 14:57:34 -06:00			`// jump to flash`
Fix strict compiler on bootstub build 2019-07-07 16:05:47 -06:00			`((void(*)(void)) _app_start[1])();`
initial commit 2017-04-06 19:11:36 -06:00			`return 0;`
			`}`
Revert commits that broke USB for openpilot. Revert "fix openpilot board flashing" This reverts commit 8ff93ad5da39f8dc4bf6fe632f26418b696fd230. Revert "Fixed output_enabled led not turning off when mode changed to no output." This reverts commit 27a8af11075d92d03c389713694a879905877cf0. Revert "Fixed loopback test for new GMLAN 'can4' behavior." This reverts commit 59592f599af01a667b4fd966e613b8f504d62dc2. Revert "GMLAN is now always mapped through CAN4 (index 3)" This reverts commit 329c09102435bfd9b1fbb60694139a5ff7bf4148. Revert "Removed compile time config for CAN loopback, implemented as usb message." This reverts commit e1a4c3298557fccf854ed5cbda448f8c0015b7ea. Revert "Change all output safety mode identifier to prevent user mistakes." This reverts commit 6b363e2e92fcd5e7f25b5458fe9008ff8f9fd664. Revert "untabify" This reverts commit 191f67b083e182323ba956c3ab75df10bec2f863. Revert "Refactor of safety to support more modular additions of safety policies." This reverts commit e5b524eddc82e53587cc47dcf15b22fd35890a92. Revert "Split up some more header files into compilation units." This reverts commit e2a78912f5b649822974fc0e974ec50d9d9c7d10. Revert "Enabled emulated control writes over USB." This reverts commit 133cfe970379d6881de26289616d1d9085bb5986. Revert "Moved CAN and USART code out of main.c and into more appropriate files." This reverts commit daad2dc0620d629e7db0dd68dee5595ed2b57160. Revert "Large Panda CAN cleanup. Restrict GMLAN to valid baud rates." This reverts commit a0616a2bc2ac2bfd99223aaa84912e6f649c9d54. Revert "Panda library now correctly sends USB direction bit." This reverts commit 1712c901d4b46b2726b3165a7cb2e91c281c662b. Revert "Board makefile now automatically calculates header file dependencies." This reverts commit 4a8d4e597b397ca6d68dd5dd2a376c8354dc3422. Revert "Loopback test works over wifi. (Disable trying to send over wifi)" This reverts commit dae636968af482e170aade1d785a1e197e9f3c04. Revert "Fix legacy board build" This reverts commit 62bf4e575686c84c672eb0d341ad41f174141c2d. Revert "Style cop" This reverts commit c439f43726feb30cf2ec486ffcad6ac94ab5e128. Revert "Untabify" This reverts commit 41e5eec6211c23836535af49380f74350a0ceb12. Revert "Fixed disabling gmlan." This reverts commit 5e1e45a4afade384b628e44587dd8e37d3dcd8cd. Revert "Removed dead code, standardized canid in more commands, better erroring behavior." This reverts commit b59aeb6d87ddd85406ec42e4ed8a74a232d506a4. Revert "loopback test works with new CAN bus ids." This reverts commit 75970861cf2b025173afb906e4e243861bed506a. Revert "Large reorganization of code and early integration of can bitrate setting." This reverts commit a1ed7b62ee66ec8f56bba488c38c67b69eead8cf. 2017-07-12 12:25:10 -06:00